Use the Standard Syntax for More Advanced Searches

This topic describes how to form more advanced queries using the Standard search syntax, including the following:

  • Analytic Metadata Searches — Available for documents in Project Data, indexed at the Analytic Index level (the default Indexing level). Each Analytic Metadata Search finds key information based on a given type of view, including the following:
    • Batch Views
    • Cluster Views
    • Custodian Views
    • Export Views
    • Group Views for Folders
    • Media ID Views
    • Tag Views

    In general, when searching for a named Analytic Metadata view, you will get an error if the view name you supply does not exist. Put the view name in double quotes if the name includes a space. (Tag view syntax does support the search for any Tag view using tag_view::any.) You will also get an error if you perform an Analytic Metadata view search (or an Analytic Metadata field <exists> search) against a Data Set or all Imports.

  • Regular Expression (Pattern) Searches
  • Email Relationship Searches
  • Key Metadata Searches for parsing status, document class, email message source, hidden data and annotations, and language.

For information about basic queries, see Use the Standard Search Syntax for Basic Queries.

Note: New Projects use the Standard syntax.

Batch View Search

batch_view::<batch_view>

This search finds documents within a given Batch view in Project Data.

batch_view::batch001

Cluster View Search

cluster_view::<cluster_view> [cluster_value [subcluster_value]]

This search finds documents that reside within a Clustered view of Project Data.

Note: For this release, the cluster_view search format still requires CaseData (for example, CaseData-2) for Project Data clusters/subclusters.

Examples:

cluster_view::myfolder-4-1

cluster_view::CaseData-1-1

Custodian View or Group View Search

custodian_view::<custodian_view>

group_view::<folder>

This search finds documents within a Project Data-based view such as a Custodian view, or a Group view such as a Folder that you create.

Note: If the Custodian view or Group view name contains a special character not explicitly prohibited by name validation, such as (), the view name must be enclosed in double quotes. As an alternative, you can escape the character. See Add a New Custodian or Edit a Custodian Entry for name validation information for Custodians and Add a New Folder or Edit a Folder for name validation information for Folders.

Examples:

custodian_view::plaintiffa

custodian_view::em*

custodian_view::"(mydr)"

custodian_view::"david white"

group_view::folder*

group_view::folder1

Export View and Export View DocID Search

export_view::<streamName>[-<volumeName>]

You can search for documents in an exported stream view by using export_view:: followed by the export stream name. To search for a volume, supply the same syntax but also add a hyphen followed by the volume name (not case-sensitive).

Examples:

export_view::export1

export_view::export1-vol0001

You can also search for a document in the export view and a volume by using the variation export_view_docid:: followed by the export stream name, volume, and DocID.

The following examples show a search for a single document with an export view doc ID, and an inclusive range search for documents in the specified range of export view doc IDs. For more information about Range Searches, see Use the Standard Search Syntax for Basic Queries.

For a search using a single export view doc ID (not a range search), you can use wildcards for the different portions of the format, each separated by a - (for example, export_view_docid::*-*-DOC0000000003).

Examples:

export_view_docid::export1-VOL0001-DOC0000000003

export_view_docid::[testexportdupesvol-VOL0001-DOC0000000001~~testexportdupesvol-VOL0001-DOC0000000048]

Media ID View Search

mediaid_view::<mediaid_view>

This search finds documents within a given Media ID view in Project Data.

mediaid_view::"outlook journal"

Tag View Search

tag_view::"<tag_name_with_spaces>" or tag_view::<tag_name>

tag_view::any

Use the first syntax to find documents tagged with the specified tag of <tag_name>. Use the second syntax to find any tagged documents in a view of Project Data.

Usage notes:

  • Tag view names are not case-sensitive.
  • You can use a wildcard to specify a Tag view name.
  • Use double quotes if the Tag name includes a space.
  • Use double quotes if the name includes a special character not prohibited by name validation, or escape special characters in a Tag name.

Note: If the Tag view name contains a special character not explicitly prohibited by name validation, such as (), the view name must be enclosed in double quotes. As an alternative, you can escape the character. See Add a New Tag or Edit a Tag for name validation information.

Examples:

tag_view::"Potentially Responsive" AND tag_view::*hot

tag_view::"Potentially Not Hot" AND tag_view::"Potentially Not Privileged" AND NOT music

tag_view::*not* AND legal system

tag_view::any

tag_view::savings_loan

tag_view::"(dr)"

Parsing Status Search

parsingstatus::<code_or_name>

This search enables you to identify documents with a given parsing status.

You can search using the 5-digit parsing code, the text, or both in the field, since the field is tokenized and is not case-sensitive. See the Warnings and Errors table in View Data Set Reports for a list of parsing status codes and descriptions.

Examples:

parsingstatus::00005

parsingstatus::no*

Regular Expression Syntax Search

"## <regex>"

In some situations, you may want to perform a search using regular expression syntax. This search uses quotation marks followed by ## to introduce regular expression syntax, and uses quotation marks to end the search.

For more information about regular expression syntax for use in creating or editing a Pattern, see Pattern (Regex) Syntax.

If you enclose a regular expression search in parentheses, you must leave a space before the closing parenthesis of the clause (see the last example).

Examples:

"##199[0-9]"

"##\d\d\d"

"##politic(s|ian|al)"

("##politic(s|ian|al)" AND "##scien(tist|tific)" )

Relationship Searches

Use these searches to find information about Email family (Message Attachment Group) or EDoc family (Document Attachment Group) relationships based on a search query. This can be any supported query, specified in parentheses, for content, metadata, or a token (for data processed prior to 4.3.11.0). Note the following:

  • These relationship operators function within the scope of the current view being searched. They will not go beyond the scope of the current view serving as the search target.

  • These relationship operators do not apply to loose container files (that is, files with a docclass of ARCHIVE, MESSAGE_ARCHIVE, or DISK_IMAGE).

  • A token search query (for data processed prior to release 4.3.11.0) must be placed within single quotes.

child_of(search_query) – Based on the results of a query, returns each immediate child, as follows:

  • The first-level attachments of Emails, both Email and EDoc attachments.
  • The first-level OLE attachments of EDocs with embedded OLEs.

children_of(search_query) – Based on the results of a query, returns all child-level items in the respective Email families or EDoc families, per the following logic:

  • If the results include the parent of a family, this relationship search returns all immediate (first-level) children, as well as any other children below that level (for example, secondary children).
  • If the results include one child of a family but not the parent, this relationship search would only return the child-level records attached to the resulting child.

family_of(search_query) – Based on the results of a query, and within the scope of the current view being searched, adds all remaining family members to their appropriate families. These are either Email families, called Message Attachment Groups (MAGs), or EDoc families, called Document Attachment Groups (DAGs). This operator will not go beyond the scope of the current view serving as the search target. For example, when searching within a current results view, the query family_of(to::barbara@myco.com) returns all documents from the result view that have barbara@myco.com in the to field, including all remaining family members in the view that don't hit on the search query.

parent_of(search_query) – Based on the results of a query, returns each immediate parent, as follows:

  • The immediate Email parent of an Email or EDoc attached to an email. If the Email parent is itself attached to another Email, the top-level Email is not necessarily returned, depending on the results.
  • The immediate EDoc parent of an embedded OLE attachment, in both Email and EDoc families where the OLE exists. If the OLE is part of an Email family, the top-level Email containing the EDoc with the OLE attachment is not necessarily returned, depending on the results.

root_of(search_query) – Based on the results of a query, returns the top-level parents of both Email families (MAGs) and EDoc families (DAGs).

Examples:

child_of("golden gate")

children_of("house arrest")

family_of(from::bob@myco.com)

parent_of(author::"john smith")

root_of(subject::"patent pending")
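
The relationship operators above, modeled over a constructed family tree as an added example (not Digital Reef code). The PARENT map, the document IDs, and the function signatures are assumptions, as is the choice to stop traversal at documents outside the current view.

```python
# Added illustration: a toy model of the relationship operators, not product code.
# Constructed sample data: document id -> immediate parent (None = top-level item).
PARENT = {
    "email1": None,      # top-level Email (root of a MAG)
    "att1": "email1",    # EDoc attached to email1
    "ole1": "att1",      # OLE embedded in att1
    "email2": "email1",  # Email attached to email1
    "att2": "email2",    # EDoc attached to email2
    "edoc1": None,       # top-level EDoc (root of a DAG)
    "ole2": "edoc1",     # OLE embedded in edoc1
}

def child_of(hits, view):
    """Immediate (first-level) children of the hits, limited to the view."""
    return {d for d in view if PARENT[d] in hits}

def children_of(hits, view):
    """Every descendant below each hit; a child hit yields only its own subtree."""
    found, frontier = set(), set(hits)
    while frontier:
        frontier = child_of(frontier, view) - found
        found |= frontier
    return found

def parent_of(hits, view):
    """Immediate parent of each hit; the top-level item is not implied."""
    return {PARENT[d] for d in hits if PARENT[d] in view}

def _root(doc):
    """Walk up the parent chain to the top-level item of the family."""
    while PARENT[doc] is not None:
        doc = PARENT[doc]
    return doc

def root_of(hits, view):
    """Top-level parent of each hit's family, if it is in the view."""
    return {_root(d) for d in hits} & set(view)

def family_of(hits, view):
    """Hits plus every other member of their families present in the view."""
    roots = {_root(d) for d in hits}
    return {d for d in view if _root(d) in roots}

if __name__ == "__main__":
    view = set(PARENT)
    print(sorted(children_of({"email1"}, view)))  # whole subtree under the parent
    print(sorted(children_of({"email2"}, view)))  # only what hangs off the child
    print(sorted(parent_of({"att2"}, view)))      # email2, not top-level email1
```
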

Document Class Searches

docclass::<class>

Use this field search to find all documents of a certain class. This field is not case-sensitive for the purposes of search, but it is not tokenized, so you must either specify the entire name of the class or use wildcards. Use it to find these classes:

  • Message (for email messages)
  • Message_Attachment (for email attachments)
  • Message_OLE_Attachment (for embedded files extracted from a Message_Attachment or another Message_OLE_Attachment). These are listed in the Index.
  • EDoc (for files that are not email, any type of attachment, or any type of archive/disk image)
  • EDoc_OLE_Attachment (for embedded files extracted from an EDoc or an EDoc_OLE_Attachment). These are listed in the Index.
  • Message_Archive (for email archives)
  • Archive (for compressed files or file archives, such as RAR, TAR, ZIP)
  • Disk_Image (for disk images such as EWF)
  • Directory (for imported directories)

Examples:

docclass::edoc

docclass::edoc_ole*

docclass::message_ar*

docclass::message_attach*

docclass::directory

Email Source Search

msgsource::<email_source>

Use this field search to find all documents of a certain email message source type. This field is not case-sensitive for the purposes of search, but it is not tokenized, so you must either specify the entire name or use wildcards. Use it to find these email sources:

  • Lotus_Notes (email and items extracted from Lotus Notes NSF)
  • Outlook (email and items extracted from Microsoft PST/OST)
  • Bloomberg (for loose emails identified as Bloomberg messages from Bloomberg archives)
  • Bloomberg_IB (for Instant Bloomberg messages)
  • MBox (for emails from RFC 822 Mailboxes)
  • Cellebrite (for emails representing Cellebrite items such as Instant Messages)
  • msg (for loose MSGs)
  • eml (for loose EMLs)

Examples:

msgsource::lotus*

msgsource::bloomberg*

msgsource::outlook

Email Class Search

msgclass::<email_class>

Use this field search to find email items in a given email message class. This field is not case-sensitive for the purposes of search. Use it to find these email classes:

  • email
  • calendar (Calendar items)
  • calresponse (Calendar response emails, to decline, accept, or tentatively accept meeting requests)
  • contact (Contacts)
  • distlist (Distribution Lists)
  • journal (Journal entries)
  • note (MS Outlook Sticky Notes)
  • todo (Tasks)
  • unknown (applies to unsupported and unknown Lotus Notes items that have a parsing status of 00043 UNSUPPORTED_LOTUS_NOTE or 00044 UNKNOWN_LOTUS_NOTE)

Examples:

msgclass::calendar

msgclass::journal

msgclass::calresponse

Hidden Data and Annotations

hiddendata::<hiddendata_terms>

docannotations::<docannotations_terms>

Use these field searches to find hidden data or document annotations. You can search any part of these tokenized fields, which are not case-sensitive for the purposes of search.

  • hiddendata::<hiddendata_terms> finds the following types of hidden data: Excel_Hidden_Columns, Excel_Hidden_Rows, Excel_Hidden_Worksheets, Excel_VeryHidden_Worksheets, Powerpoint_Hidden_Slides, and Word_Hidden_Text.
  • docannotations::<docannotations_terms> finds the following types of document annotations: Excel_Auto_Filter, Excel_Comments, Excel_Protected_Worksheets, Excel_Protected_Workbook, Excel_Track_Changes, Pdf_Comments, Word_Comments, Word_Revisions (to flag edits, even when track changes is disabled), PowerPoint_Comments, and PowerPoint_Notes. As of 5.4.2.0, this field supports Microsoft Office documents that contain Modern Comments and can contain the appropriate value (Excel_Comments, PowerPoint_Comments, or Word_Comments).

Examples:

hiddendata::power*

docannotations::pdf*

hiddendata::excel

Language Search

language::<language_code>

dominantlanguage::<language_code>

Use these field searches to find documents containing the specified language or documents for which the specified language is the dominant language.

Examples (for Chinese and Japanese, respectively):

language::zh*

dominantlanguage::ja

Supported Languages for Language Detection provides a list of the supported languages and their letter codes.

Number of Email Participants Search

You can use a Digital Reef property to help you search for the number of unique email participants, based on information in the to, from, bcc, and cc fields. You can search the numemailparticipants field to help pinpoint email sent exclusively from one person to another. This field search is typically part of a query, as shown in the Example.

Example:

from::jross AND to::jjones AND numemailparticipants::2